:::

網站導覽
目前位置:主選單
最新消息
:::
:::

最新消息

MENU

【資安漏洞預警】SAP針對旗下多款產品發布重大資安公告
[Security Vulnerability Warning] SAP issues major security announcement for several of its products

公告類別:行政公告
發佈日期:2025/08/18 至 2026/02/18
點閱數:26

轉發 台灣電腦網路危機處理暨協調中心 TWCERTCC-200-202508-00000009

[內容說明]
【CVE-2025-42957,CVSS:9.9】 此漏洞存在於SAP S/4HANA 和 SAP SCM Characteristic Propagation,允許具有使用者權限的攻擊者利用RFC公開功能模組的漏洞,將任意ABAP程式碼注入系統,從而繞過必要的授權檢查。

【CVE-2025-42950,CVSS:9.9】 該漏洞存在於SAP Landscape Transformation (SLT) ,允許具有使用者權限的攻擊者透過RFC公開功能模組的漏洞,將任意ABAP程式碼注入系統,從而繞過必要的授權檢查。

【CVE-2025-42951,CVSS:8.8】 SAP Business One (SLD) 存在授權漏洞,允許經過驗證的攻擊者透過呼叫對應的API取得資料庫的管理員權限。

[影響平台]
● SAP S/4HANA (Private Cloud or On-Premise) S4CORE 102, 103, 104, 105, 106, 107, 108版本
● SAP Landscape Transformation (Analysis Platform) DMIS 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020 版本
● SAP Business One (SLD) B1_ON_HANA 10.0, SAP-M-BO 10.0 版本

[建議措施]
根據官方網站釋出的解決方式進行修補:
https://support.sap.com/en/my-support/knowledge-base/security-notes-news/august-2025.html

[參考資料]
https://www.twcert.org.tw/tw/cp-169-10324-fd8bf-1.html
Forwarded by Taiwan Computer Network Crisis Response and Coordination Center (TWCERTCC-200-202508-00000009)

[Description]
[CVE-2025-42957, CVSS: 9.9] This vulnerability exists in SAP S/4HANA and SAP SCM Characteristic Propagation. It allows an attacker with user privileges to exploit a vulnerability in an RFC-exposed function module to inject arbitrary ABAP code into the system, thereby bypassing necessary authorization checks.

[CVE-2025-42950, CVSS: 9.9] This vulnerability exists in SAP Landscape Transformation (SLT). It allows an attacker with user privileges to exploit a vulnerability in an RFC-exposed function module to inject arbitrary ABAP code into the system, thereby bypassing necessary authorization checks.

[CVE-2025-42951, CVSS: 8.8] An authorization vulnerability in SAP Business One (SLD) allows an authenticated attacker to gain database administrator privileges by calling the corresponding API.

[Affected Platforms]
● SAP S/4HANA (Private Cloud or On-Premise) S4CORE versions 102, 103, 104, 105, 106, 107, and 108
● SAP Landscape Transformation (Analysis Platform) DMIS versions 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, and 2020
● SAP Business One (SLD) B1_ON_HANA 10.0, SAP-M-BO 10.0 Version

[Recommended Action]
Patch according to the solution released on the official website:

https://support.sap.com/en/my-support/knowledge-base/security-notes-news/august-2025.html

[Reference]

https://www.twcert.org.tw/tw/cp-169-10324-fd8bf-1.html

返回列表

照片